Ruby's openssl extension tries to load certificates as PEM format first, and on failure will try to do DER / ASN1. The PEM format loading ignores junk in the beginning and end of the given buffer, which can lead to a DER certificate being incorrectly loaded. This occurs on 1.9.3 and 2.2.0.

More concretely this occurs in the wild when a server certificate has a X509 extension comment that includes another certificate in PEM format. Example below.

To fix this, one could allow the user to optionally specify the format, and do DER directly if specified. That would keep things backwards compatible and allow these certificates to be correctly parsed.

I worked on implementing support for adding a :format keyword to OpenSSL::X509::Certificate#initialize, allowing you to specify format: :der if you didn't want to try loading it as a PEM. A patch for that is attached (for the ruby-openssl repository).

For the certificate provided, using LibreSSL 3.0.0, both PEM_read_bio_X509 and d2i_X509_bio with the certificate return NULL, with the OpenSSL error: "nested asn1 error". Are you actually able to get the certificate to work with a modern version of OpenSSL or LibreSSL?